DHS, FBI analyze North Korean Hidden Cobra, FallChill

The US Department of Homeland Security (DHS) and US Federal Bureau of Investigation (FBI) have officially revealed the IP addresses that they say are used by the North Korean government to administer the RAT FallChill.
The two agencies worked with other government partners to connect the RAT and other indicators of compromise (IOCs) with North Korea, US-CERT reported in a 14 November alert.

Citing third-party reports, the DHS and FBI believe that Hidden Cobra, an APT whose malicious activity is linked to North Korea, has been using FallChill since 2016 to target defense, telecom and finance industries.

“The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim's system via dual proxies," the alert states. "FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors.”

FallChill and the rest of the Hidden Cobra toolset also appear to support each other. Hidden Cobra actors use a dropper to install FallChill and establish persistence, then use that foothold to install additional malware later.

The alert also details how FallChill keeps its traffic inconspicuous. The malware talks to its C2 servers over fake Transport Layer Security (TLS) sessions, relayed through proxies between the operators and the victim, and the data is encoded “with RC4 encryption with the following key: [0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82],” the report states.

Once ensconced in a system, FallChill registers with its C2 server, transmitting the system's operating system (OS) version information, processor information, system name, local IP address information, a unique generated ID, and the MAC address. Its other built-in capabilities include the ability to retrieve information about the disks (including how much free space is available); search, read, write, move and execute files; and delete the malware and all of its artifacts.
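The RC4 encoding and the registration beacon described above, as an added worked example that is not FallChill's own code and does not come from the alert: a plain RC4 implementation keyed with the 16-byte key the report publishes, applied to a constructed beacon carrying the same six fields. The newline-separated key=value record layout, the TLS application-data header used here to stand in for the "fake TLS" wrapper, and the sample host values are all assumptions for illustration, not the malware's real wire format. The block also includes a check an analyst would want before using the key bytes as a search signature: they are not random, but a slice of a DER-encoded RSA SubjectPublicKeyInfo (the bytes 06 09 2a 86 48 86 f7 0d 01 01 01 are the encoded rsaEncryption OID 1.2.840.113549.1.1.1), so the same byte run also appears in every RSA certificate and public key on a system.

```python
"""Illustrative RC4 / fake-TLS beacon codec (added example, not FallChill's code)."""
from typing import Iterator

# Key exactly as printed in the US-CERT alert (TA17-318A), 16 bytes.
FALLCHILL_RC4_KEY = bytes.fromhex("0d06092a864886f70d01010105000382")

# DER encoding of OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption).
RSA_ENCRYPTION_OID_DER = bytes.fromhex("06092a864886f70d010101")

# Field order is an assumption; the alert lists the data, not the layout.
BEACON_FIELDS = ("os_version", "processor", "system_name",
                 "local_ip", "unique_id", "mac")

# Constructed sample host values (not from any real infection).
SAMPLE_BEACON = {
    "os_version": "6.1.7601",
    "processor": "Intel64 Family 6 Model 60",
    "system_name": "WS-FINANCE-07",
    "local_ip": "10.0.4.21",
    "unique_id": "a1b2c3d4",
    "mac": "00:0c:29:4b:2e:77",
}

# Hypothetical stand-in for "fake TLS": a TLS 1.0 application-data record
# header (type 0x17, version 0x0301, 2-byte length) with no real handshake.
FAKE_TLS_HEADER = b"\x17\x03\x01"


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Standard RC4: KSA then PRGA, yielding one keystream byte at a time."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def build_beacon(fields: dict) -> bytes:
    """Serialise the registration fields as newline-separated key=value lines."""
    return "\n".join(f"{name}={fields[name]}" for name in BEACON_FIELDS).encode()


def parse_beacon(data: bytes) -> dict:
    """Inverse of build_beacon; values may themselves contain '='."""
    record = {}
    for line in data.decode().split("\n"):
        name, value = line.split("=", 1)
        record[name] = value
    return record


def wrap_fake_tls(payload: bytes) -> bytes:
    """Prefix the RC4 ciphertext with a TLS-looking record header."""
    return FAKE_TLS_HEADER + len(payload).to_bytes(2, "big") + payload


def looks_like_fake_tls(record: bytes) -> bool:
    """Header present and declared length matches the bytes actually carried."""
    if len(record) < 5 or record[:3] != FAKE_TLS_HEADER:
        return False
    return int.from_bytes(record[3:5], "big") == len(record) - 5


def unwrap_fake_tls(record: bytes) -> bytes:
    """Strip the header; reject truncated or mis-framed records."""
    if not looks_like_fake_tls(record):
        raise ValueError("not a well-formed fake-TLS record")
    return record[5:]


def encode_beacon(fields: dict) -> bytes:
    """Victim side: serialise, RC4-encode with the published key, frame."""
    return wrap_fake_tls(rc4(FALLCHILL_RC4_KEY, build_beacon(fields)))


def decode_beacon(record: bytes) -> dict:
    """Analyst side: unframe a captured record, RC4-decode, parse the fields."""
    return parse_beacon(rc4(FALLCHILL_RC4_KEY, unwrap_fake_tls(record)))


def rc4_key_is_der_fragment() -> bool:
    """True if the published key contains the DER rsaEncryption OID."""
    return RSA_ENCRYPTION_OID_DER in FALLCHILL_RC4_KEY


if __name__ == "__main__":
    wire = encode_beacon(SAMPLE_BEACON)
    print("on the wire:", wire.hex())
    print("decoded    :", decode_beacon(wire))
    print("key is a DER RSA fragment:", rc4_key_is_der_fragment())
```

Because the key is fixed and RC4 has no nonce, every beacon from every victim is XORed with the identical keystream; an analyst holding one decoded record can strip the first few hundred bytes of any other capture by XOR alone, which is what makes a hard-coded RC4 key such a convenient IOC to pivot on. The DER check is the caveat on the other side: a raw search for these 16 bytes will light up on legitimate RSA keys and certificates, so the key belongs in a network or memory-decoding signature rather than a bare file-content rule.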

SC Media UK arms cyber-security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.